This repository has been archived by the owner on May 12, 2021. It is now read-only.
#!/bin/bash
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# An integration test for the client, using the vagrant environment as a testbed.
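# Abort on the first failing command (-e) and on unset variables (-u), and
# trace every command (-x) so the test log shows exactly what ran.
set -eux

# MIT krb5 release that is downloaded and built to provide the test realm.
# NOTE(review): enter_testrealm uses KRB5_VERSION as the download directory and
# KRB5_TARBALL is named after KRB5_MAJOR_MINOR; that only holds while the two
# values are equal. Confirm the layout before bumping to a patch release.
readonly KRB5_MAJOR_MINOR=1.17
readonly KRB5_VERSION=1.17
# HTTPS rather than plain HTTP: the tarball is compiled and run in the VM, and
# both it and its detached signature come from this base URL.
readonly KRB5_URL_BASE=https://web.mit.edu/kerberos/dist/krb5/
readonly KRB5_TARBALL=krb5-$KRB5_MAJOR_MINOR.tar.gz
# Keys expected to sign the release tarball.
# NOTE(review): these are 32-bit short key IDs, which are not unique and can be
# matched by unrelated keys on a keyserver. Pin the full fingerprints published
# by the krb5 maintainers instead (values not available in this file).
readonly KRB5_KEY_IDS=(5F8372DF 253AAB87 0055C305)
# Host name the scheduler is reached under; also its HTTP/ service principal.
readonly SCHEDULER_HOSTNAME=aurora.local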
# Re-run this script inside the vagrant VM, forwarding every argument.
# exec replaces the current shell, so nothing after this call runs.
# NOTE(review): the arguments travel through `vagrant ssh -- ...`; presumably
# the remote shell parses them again, so keep them free of whitespace and
# shell metacharacters.
enter_vagrant() {
  local -r in_vm_script=/vagrant/src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh
  exec vagrant ssh -- "$in_vm_script" "$@"
}
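# Download, verify and build MIT krb5 in $HOME, then re-run this script inside
# a freshly configured Kerberos test realm.
# Globals:   HOME, KRB5_URL_BASE, KRB5_VERSION, KRB5_TARBALL, KRB5_KEY_IDS (read)
# Arguments: none are used
# Returns:   does not return on success (exec); exits 1 if the signature
#            check fails
enter_testrealm() {
  local src_dir

  cd "$HOME"
  # Downloads are cached: an existing file is reused, never refreshed.
  [[ -f "$KRB5_TARBALL" ]] || wget "$KRB5_URL_BASE/$KRB5_VERSION/$KRB5_TARBALL"
  [[ -f "$KRB5_TARBALL.asc" ]] || wget "$KRB5_URL_BASE/$KRB5_VERSION/$KRB5_TARBALL.asc"

  # Import the signing keys only when they are not already in the keyring.
  # NOTE(review): the keys are looked up by short ID on a public keyserver, and
  # gpg --verify accepts a good signature from any key in the keyring. Pinning
  # full fingerprints and checking the signer would make this check binding.
  gpg --list-keys "${KRB5_KEY_IDS[@]}" &>/dev/null \
    || gpg --keyserver pgp.mit.edu --recv-keys "${KRB5_KEY_IDS[@]}"

  # Name the signed file explicitly. With only the .asc argument gpg guesses
  # the data file, and a signature file that carries its own content would
  # verify without the tarball being checked at all.
  if ! gpg --verify "$KRB5_TARBALL.asc" "$KRB5_TARBALL"; then
    echo "signature verification failed for $KRB5_TARBALL" >&2
    # Explicit exit: nothing unverified may be unpacked or built, whether or
    # not errexit is in effect.
    exit 1
  fi

  src_dir=$(basename "$KRB5_TARBALL" .tar.gz)
  [[ -d "$src_dir" ]] || tar zxvf "$KRB5_TARBALL"
  cd "$src_dir"
  mkdir -p build
  cd build
  [[ -f Makefile ]] || ../src/configure
  make
  # Reinvokes this script with a full kerberos test realm configured: make's
  # testrealm target starts $SHELL, which is pointed at this script.
  SHELL=$0 exec make testrealm
}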
# Block until the scheduler's /vars endpoint on localhost:8081 reports
# "framework_registered 1", polling every 3 seconds.
# The matching line is printed by grep. There is no upper bound on the wait,
# so a scheduler that never registers stalls the test run.
await_scheduler_ready() {
  until curl -s localhost:8081/vars | grep "framework_registered 1"; do
    sleep 3
  done
}
# Request body posted to the scheduler API by snapshot_as (the "snapshot" call).
readonly SNAPSHOT_RPC_DATA='[1,"snapshot",1,0,{}]'
# printf template for the per-principal response file; %s is the principal.
readonly SNAPSHOT_RESPONSE_OUTFILE='snapshot-response.%s.json'
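# Issue the snapshot RPC against the scheduler API as a given principal.
# Globals:   SNAPSHOT_RESPONSE_OUTFILE, SNAPSHOT_RPC_DATA, SCHEDULER_HOSTNAME (read)
# Arguments: $1 - principal; its keytab is testdir/<principal>.keytab
# Outputs:   response body to snapshot-response.<principal>.json, the HTTP
#            status code to stdout, curl's verbose trace to stderr
# Returns:   curl's exit status
# NOTE(review): the HTTP status is only printed, never checked, and the API is
# reached over plain http; callers decide pass/fail from the response body.
snapshot_as() {
  local principal=$1
  local outfile
  local rc=0

  # SNAPSHOT_RESPONSE_OUTFILE is a trusted constant used as the format string.
  # shellcheck disable=SC2059
  outfile=$(printf "$SNAPSHOT_RESPONSE_OUTFILE" "$principal")

  kinit -k -t "testdir/${principal}.keytab" "$principal"
  # "-u :" with --negotiate makes curl authenticate via SPNEGO using the
  # ticket obtained by kinit above instead of a user name and password.
  curl -u : --negotiate -w '%{http_code}\n' \
    -o "$outfile" \
    -v "http://$SCHEDULER_HOSTNAME:8081/api" \
    -H "Content-Type:application/vnd.apache.thrift.json" \
    --data-binary "$SNAPSHOT_RPC_DATA" || rc=$?
  # Always drop the ticket cache, even when the request failed, so the next
  # principal under test cannot reuse this principal's credentials.
  kdestroy
  return "$rc"
}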
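# Switch the VM to the Kerberos-enabled scheduler and create the principals
# and keytabs the tests authenticate with.
# Globals: KRB5_CONFIG (appended to), SCHEDULER_HOSTNAME (read)
setup() {
  local principal keytab

  # Map every host under .local to the test realm.
  cat >> "$KRB5_CONFIG" <<EOF
[domain_realm]
.local = KRBTEST.COM
EOF

  aurorabuild all
  sudo cp /vagrant/examples/vagrant/systemd/aurora-scheduler-kerberos.service \
    /etc/systemd/system/aurora-scheduler-kerberos.service
  # The plain scheduler may not be running; stopping it is best effort.
  sudo systemctl stop aurora-scheduler || true
  sudo systemctl daemon-reload
  sudo systemctl start aurora-scheduler-kerberos
  await_scheduler_ready

  # One service principal for the scheduler plus three client principals.
  # Keys are random (-randkey) and only ever live in the keytab files.
  for principal in "HTTP/$SCHEDULER_HOSTNAME" vagrant unpriv root; do
    # Keytab file name is the principal with "/" replaced by "-".
    keytab="testdir/${principal//\//-}.keytab"
    kadmin.local -q "addprinc -randkey $principal"
    # Remove any stale keytab first so it holds only the keys written below.
    # The HTTP principal previously targeted a ".keytab.keytab" path here, so
    # its old keytab was never removed.
    rm -f "$keytab"
    kadmin.local -q "ktadd -keytab $keytab $principal"
  done
}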
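# Check who may call the snapshot RPC: vagrant and unpriv must be refused with
# a 'lacks permission' response, root must not be.
# Outputs: each response body to stdout; a diagnostic to stderr on failure
# Returns: 0 when all three expectations hold, 1 otherwise
test_snapshot() {
  local principal response

  for principal in vagrant unpriv; do
    response="snapshot-response.${principal}.json"
    # Called as a plain command on purpose: wrapping it in `if` or `||` would
    # switch off errexit inside snapshot_as and hide a failed kinit.
    snapshot_as "$principal"
    cat "$response"
    if ! grep -q 'lacks permission' "$response"; then
      echo "expected $principal to be denied the snapshot RPC" >&2
      return 1
    fi
  done

  response=snapshot-response.root.json
  snapshot_as root
  cat "$response"
  # 'grep -qv' succeeds as soon as any single line lacks the phrase, so a
  # multi-line denial would have passed. Require a non-empty body that does
  # not contain the phrase anywhere.
  if [[ ! -s "$response" ]] || grep -q 'lacks permission' "$response"; then
    echo "expected root to be allowed the snapshot RPC" >&2
    return 1
  fi
}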
# Run the aurora_admin and aurora command-line clients as the root principal
# with the Kerberos cluster configuration installed.
test_clients() {
  local -r kerberos_clusters=/vagrant/examples/vagrant/clusters_kerberos.json
  sudo cp "$kerberos_clusters" /etc/aurora/clusters.json

  kinit -k -t testdir/root.keytab root
  # NOTE(review): both pipelines end in `| true`, so their status is always 0
  # and neither grep can fail the test; these two checks assert nothing.
  # `/dev/null` is passed as a plain argument here; it looks like a redirection
  # that lost its operator. Confirm the intent before making the checks fatal.
  aurora_admin set_quota devcluster kerberos-test 0.0 0MB 0MB /dev/null 2>&1 \
    | grep 'OK' \
    | true
  aurora update pause devcluster/role/env/job /dev/null 2>&1 \
    | grep 'No active update found' \
    | true
  kdestroy
}
# Restore the non-Kerberos scheduler setup and end the script.
# Arguments: $1 - exit status to finish with
# Outputs:   a '!!! FAILED' banner on stdout when the status is non-zero
# Never returns: always calls exit.
tear_down() {
  local status=$1

  sudo cp /vagrant/examples/vagrant/clusters.json /etc/aurora/clusters.json
  # Stopping and starting the services is best effort; a failure here must
  # not mask the status being reported.
  sudo systemctl stop aurora-scheduler-kerberos || true
  sudo rm -f /etc/systemd/system/aurora-scheduler-kerberos.service
  sudo systemctl start aurora-scheduler || true

  if [[ "$status" -ne 0 ]]; then
    printf '\n%s\n\n' '!!! FAILED'
  fi
  exit "$status"
}
# Entry point. The script re-enters itself until it runs in the right place:
#   1. outside the VM (USER is not vagrant): re-run over `vagrant ssh`;
#   2. in the VM without KRB5_CONFIG: build krb5 and re-run in a test realm;
#   3. in the test realm: run setup, the tests, and tear-down.
main() {
  if [[ "$USER" != vagrant ]]; then
    enter_vagrant "$@"
  elif [[ -z "${KRB5_CONFIG:-}" ]]; then
    enter_testrealm "$@"
  else
    # Any exit before the tests finish (errexit included) tears down as failed.
    trap 'tear_down 1' EXIT
    setup
    test_snapshot
    test_clients
    # Stop tracing so the result banner is not buried in trace output.
    set +x
    printf '\n%s\n\n' '*** OK (All tests passed) ***'
    # Disarm the failure trap before the successful tear-down calls exit.
    trap '' EXIT
    tear_down 0
  fi
}

main "$@"